Win32.Startpage-006(Trj)

Avast says I have this virus on c:\windows\system\ggjogda.dll.
I also get a pop up sign warning for spyware and adware.
What can a novice like me do? Avast won't repair it.
Can I delete the file without problems for Windows?
Grateful for help.
Jamalin

You can start your PC in safe mode and let Avast scan your PC again. Then it should be able to delete the file.
You can also try Avast and Spybotsd (use Google or Boardsearch) for a download link. Download/install/update them and scan your PC.

If there are still some problems left, post a hijackthis log: www.hjt.klaffke.de/en

Hi,

I also have this virus and am wondering if it's OK to delete .dll files (running Windows ME) - did you have any success?

GPA

ggjogda.dll really doesn’t sound like any common system file - you can delete it (but I would expect the program that has dropped this file to be somewhere near…)

If you have the “special” Hijack Version, try this one:

ftp://ftp.kaspersky.com/utils/clrav/clrav.com

or read this:
http://www.wilderssecurity.com/showpost.php?p=162440&postcount=4

Thanks Igor and Raman,
I read that article but it all seemed a bit complicated! Is that link for another CWS shredder type of programme?

And I have another question: I defragged my PC since having this virus and various programmes are now acting funny or not running. Do you think I should do a system restore before trying any more fixes (I have tried Shredder, Spybot and Avast)? And do I need to disable system restore before I run all these scans (including Avast)?

Thanks for your help, much appreciated.

No you do not need to disable the SR. Try the CLRAV cleaner. If that does not do the job, post a hijackthis.log: www.hjt.klaffke.de/en

Well, I’ve got the same problem with Win32.Startpage-006(Trj). Avast alarms me in various situations with 2 warnings. First is about a file in temp.int.files dir (m[1].bin or smth like that) and the second one is about a DLL file in winnt/system32 directory. I’ve deleted manually all suspicious DLLs from that dir and it still creates new ones just before every Avast alarm.

I tried:

  • Ad-Aware (it found something, however it didn’t help).
  • CWShredder (after alarms it sometimes finds a trojan and fixes it).
  • Hijack This (this one doesn’t find anything)
  • and I also use SpywareGuard (it seems that it finds something only if I let it through Avast but doesn’t help at all, only temporarily).
  • 2 online scans many times and they didn’t help.
    I also tried Avast in safe-mode - didn’t find anything wrong.

I have no idea what to do :confused: It alarms me when I click a program, open my instant messenger, open IE (I didn’t notice any problem with Mozilla, maybe because I usually use IE)… Everything seems to be ok, and suddenly it strikes back.

system:
Windows 2000 SP4
Internet Explorer 6 SP1 (as far as I remember)
Avast Antivirus
ZoneAlarm Firewall
SpywareGuard

Hi,

please explain what you mean by “didn’t help”:
didn’t find anything, or didn’t remove it… ??

→ please post the hijackthis-Logfile…

By “didn’t help” I wanted to say that I ran it several times. It (AdAware) found something and I just removed everything suspicious. However, after a few minutes I launch IE and Avast alarms me again about a file in tmp.int.files and a dll in the system32 dir.

It is like I find some spyware or startpage-changers… but after I delete them all with a lot of spyware removal software they come back…

I had tried to find some help in the Net (forums or sth like that) and I have found some people with the same problem who had no idea what to do… :confused: I don’t want to reinstall the whole system.


Logfile of HijackThis v1.97.7
Scan saved at 21:28:51, on 2004-06-09
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\The Bat!\thebat.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ASUSTweakEnable] C:\Program Files\ASUS\Tweaking Utilities\atstart.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Go Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\VGAProbe.exe FirstTime
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: QuickTV.lnk = C:\AVERTV2K\QuickTV.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: kbutils - https://www.kb24.pl/ikd/kbutils.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

I have the same problem. Avast tells me I have it just as you have said. I tried everything as you have; the only thing I have found is a file called d3do.dll, a super-hidden file that I cannot get rid of. It is in the system32 folder and Security Task Manager finds it. I searched every place and did most things but cannot delete it; the only thing I have not done is try recovery to delete it.

I will give this another week, then I think it will be a format >:(

I forgot about it. Yesterday evening I removed the d3d.dll file from my system32 folder. The problem was that it had been in system memory (Avast finds it while checking memory) and I had to run before the system starts.
After Avast finds it (Win32.Trojan-gen{Other}) and tells you that it can’t be removed because it’s in use, there is a question whether you want to restart your Windowz and run Avast first (before that d3d.dll gets into memory). Try.

Well, set up Avast to scan the system32 folder on startup and it found d3do.dll and deleted it. Now been free of the startpage troj for a few days.

Thanks for the info.

Hi, I have this virus in my system and I can’t get rid of it either.
I tried Ad-Aware = no detection, I tried Spybot = no detection.

Avast detects the virus when I log on to the internet and asks me to repair, delete or move to chest, but when I scan and click on repair, it doesn’t repair it and says that it can’t process the file blah blah. I used to be able to move it to chest, but now it doesn’t move it. Before, I was also able to detect the virus with Avast (it might move it to chest when I try another time), but now it doesn’t detect the Win32 Startpage-006 when I start the PC and use the Avast virus scanner straight away, nor can it detect it in safe mode. I detected it before but it didn’t repair it.
I don’t know how to get rid of it and I have run out of ideas… please help.

I use 2002 XP, Kerio PF.
Here is my HJ:

Logfile of HijackThis v1.97.7
Scan saved at 23:30:53, on 15/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Software Assist\Instant Access\InstantAccess.exe
C:\Program Files\FastNet99\FastNet99.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Avant Browser\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\LeechGet 2004\LeechGet.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashChest.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\downloads1\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D65946B4-8DA7-4EDB-8317-58DD8252F3C7} - C:\WINDOWS\System32\pfnl.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: UCmore - The Search Accelerator Toolbar - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCLEAN~1.EXE" -turbo -autostart -NOREBOOT
O4 - Startup: fastnet99.lnk = C:\Program Files\FastNet99\FastNet99.exe
O4 - Global Startup: Instant Access.lnk = C:\Program Files\Software Assist\Instant Access\InstantAccess.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\Wizard.html
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page… - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\Parser.html
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: TREND MICRO HouseCall (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mpga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38026.8246527778
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B3A5878E-5B4C-4D12-9156-4D7FD8D0AF6C} (Cltbuilder Class) - http://www.one2one.com/static/class/one2oneSvc.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4339/mcfscan.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.33/EPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C08A1DE7-FF60-4E0F-A7F9-9AA6CE4B1DDC}: NameServer = 213.1.119.97 213.1.119.98

T
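
A small triage pass over a HijackThis log like the two posted above, as an added example that is not part of any post in this thread. The sample lines are copied from the second log; the three checks (start page value, registration whose file is missing, ActiveX download from a bare IP address) are assumptions about what merits a closer look, not a verdict on any entry.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a header line, a process line and five entry lines
# copied from the second HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
C:\WINDOWS\system32\svchost.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {D65946B4-8DA7-4EDB-8317-58DD8252F3C7} - C:\WINDOWS\System32\pfnl.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.33/EPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# An entry line is "<section code> - <detail>", e.g. "O2 - BHO: ...".
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_entries(log_text):
    """Return (code, detail) pairs; header and running-process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def triage(entries):
    """Return (code, reason, detail) for entries worth a manual look (heuristic only)."""
    findings = []
    for code, detail in entries:
        if code in ("R0", "R1") and "Start Page" in detail:
            findings.append((code, "start page setting: compare with what you configured", detail))
        if code in ("O2", "O3") and detail.endswith("(file missing)"):
            findings.append((code, "browser add-on registered but its file is gone", detail))
        if code == "O16":
            # The download source is the last " - " separated field.
            source = detail.rsplit(" - ", 1)[-1]
            host = urlparse(source).hostname or ""
            if IPV4_HOST.match(host):
                findings.append((code, "ActiveX control downloaded from a bare IP address", detail))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(parse_entries(SAMPLE_LOG)):
        print(f"{code}: {reason}\n    {detail}")
```
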

Weird. Try to manually find the file d3d.dll in system32. When you find it, scan that file. In a “normal” scan Avast finds it during the memory check - don’t stop it before the end. If it is the Win32:Startpage-006 then you should delete those dll’s that are in alerts (those created by the trojan) instead of repairing them. You may not have them if you were deleting or moving them every time there was a message about the virus.

I have exactly the same problem: startpage-006 is detected by Avast AV when I use IE.
I tried a couple of other AV programs, some CWS and so on, with no result.
I guess the only fix is to reinstall the whole system, which is not a perfect solution!

If somebody has a real fix…

Hi ursule,

please

I also have the same Win32:Startpage-006 [Trj] fuck how can I remove this shit please :frowning: my mail csstefan@o2.pl

Hi Guys,

It seems you all are lucky removing it.

I have the Win32:Startpage-006 [Trj] virus.

I have Ad-Aware, CWShredder, HijackThis and Avast.

Once every day, while my computer is on and connected to the internet (I’m not doing anything), Avast alerts me of an infected dll in the system folder. I choose to delete it, which works fine. I then run HijackThis and there is about:blank and sp.html linked; I remove these. I then run CWShredder and it finds and removes the CWS-searchx virus. I’m now free from the virus! Yes, I am for one or two days and then it’s back to square one again… WHY???

What is it that Avast can’t find? Somewhere on my computer there is a file that is activating all this according to some kind of schedule.

Any idea??

Thanks

Once again. I find HiJack useless.
Try smth like that:
First of all update Avast. Then…

  1. Run Windows in Safe Mode.
  2. Run Ad-Aware and Update it !!!
  3. Run Ad-Aware Scan (select all options, full scan) and delete everything unless you’re absolutely sure that there is smth that should not be removed. If you don’t know what to do… just del all :stuck_out_tongue:
  4. Run CWShredder, UPDATE and run “FIX”.
  5. Go to your WINDOWS/SYSTEM32 dir and make Avast SCAN your “system32” folder.
    DO NOT INTERRUPT THE MEMORY TEST
    Avast should find a file d3d.dll or even some other dll’s. Don’t try to repair them, just delete.
    There may be a problem deleting file d3d.dll so after Avast tells that it cannot remove it, it says that you should run a scan while the system boots. Confirm it. There is a while, when Avast should restart your system. Wait a few seconds. There should be a restart and just before the Windowz loads you should not touch the keyboard (just let Avast do the scanning). After the scan, login, and once again run CWS, Ad-Aware.

And really, DO NOT be afraid to delete unknown files that would be found by spyware removal software.

Hope it’ll help. I wish you luck.

Yosh